<head><title></title></head>
<body><div class="iw_mail" dir="ltr">
<p style="margin:0;" dir="ltr">Hi Everyone,</p>
<p style="margin:0;" dir="ltr">I have unbound 1.6.4 installed on Gentoo, doing recursive lookups.</p>
<p style="margin:0;" dir="ltr">In this example, I am trying to look up a CAA record for a domain:</p>
<p style="margin:0;" dir="ltr"><br></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="font-weight:bold;color:#5454ff;background-color:#ffffff;">#</span> <span style="background-color: rgb(255, 255, 255);">time host -t CAA jhmnet.net 192.168.136.181</span><br>Using domain server:<br>Name: 192.168.136.181<br>Address: 192.168.136.181#53<br>Aliases:  <br><br>Host jhmnet.net not found: 2(SERVFAIL)<br><br>real    0m3.876s<br>user    0m0.008s<br>sys     0m0.008s<br><br>Run this again, immediately after:<br><br></span><span style="font-family:monospace"><span style="font-weight:bold;color:#5454ff;background-color:#ffffff;">#</span> <span style="background-color: rgb(255, 255, 255);">time host -t CAA jhmnet.net 192.168.136.181</span><br>Using domain server:<br>Name: 192.168.136.181<br>Address: 192.168.136.181#53<br>Aliases:  <br><br>Host jhmnet.net not found: 2(SERVFAIL)<br><br>real    0m0.016s<br>...<br><br>Implying the cache is working as expected. (</span><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">cache-max-negative-ttl: 120)</span></span><br></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">However, after about 9 seconds, the query goes back to taking 3-4 seconds, implying it's not. Sure enough, a tcpdump on the host running unbound shows it trying to access the jhmnet.net Auth server(s).</span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">Why is unbound not respecting the 2 min (120 second) max-negative-ttl?</span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">In the interests of testing, this server is not serving any other dns traffic at all.</span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">This is my configuration:</span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">## Simple recursive caching DNS, UDP port 53</span><br>## unbound.conf -- <a href="https://calomel.org">https://calomel.org</a><br>#<br>server:<br>  access-control: 10.0.0.0/16 allow<br>  access-control: 127.0.0.0/8 allow<br>  access-control: 192.168.0.0/16 allow<br>  cache-max-ttl: 120<br>  cache-min-ttl: 0<br>  hide-identity: yes<br>  hide-version: yes<br>  interface: 0.0.0.0<br>  minimal-responses: yes<br>  prefetch: no<br>  rrset-roundrobin: yes<br>  use-caps-for-id: no<br>  verbosity: 1<br>  use-syslog: yes<br>  root-hints: /etc/unbound/root.hints<br>  auto-trust-anchor-file: /etc/unbound/root.key<br>  val-log-level: 2<br>#<a href="https://www.unbound.net/documentation/howto_optimise.html">https://www.unbound.net/documentation/howto_optimise.html</a><br>  num-threads: 2<br>  msg-cache-slabs: 2<br>  rrset-cache-slabs: 2<br>  infra-cache-slabs: 2<br>  key-cache-slabs: 2<br>  key-cache-size: 128m<br>  neg-cache-size: 256m<br>  rrset-cache-size: 512m<br>  msg-cache-size: 256m<br>  outgoing-range: 462<br>  num-queries-per-thread: 231<br>  so-rcvbuf: 4m<br>  so-sndbuf: 4m<br>  so-reuseport: yes<br>  jostle-timeout: 281<br># for cacti support<br>  extended-statistics: yes<br>  statistics-cumulative: yes<br>  statistics-interval: 0<br><br></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace">note: </span><span style="background-color: rgb(255, 255, 255); font-family: monospace;">cache-max-negative-ttl: 120 </span></p>
<p style="margin:0;" dir="ltr"><span style="background-color: rgb(255, 255, 255); font-family: monospace;">was set using </span></p>
<p style="margin:0;" dir="ltr"><span style="background-color: rgb(255, 255, 255); font-family: monospace;"><br></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"># unbound-control set_option cache-max-negative-ttl: 120</span><br></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">ok</span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">#</span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);">Thanks in advance.</span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<p style="margin:0;" dir="ltr"><span style="font-family:monospace"><span style="background-color: rgb(255, 255, 255);"><br></span></span></p>
<div class="signature"></div>
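<p style="margin:0;" dir="ltr">Added example, not part of the original message: a shell helper that repeats the timed lookup once per second and reports how long the resolver kept answering from cache before recursing again, for comparison with the configured negative TTL. The 100 ms fast/slow boundary, the function names and the sample timings are assumptions constructed for illustration.</p>

```shell
#!/usr/bin/env bash
# Added example (not from the original post): measure how long a resolver
# serves a failing answer from cache before it recurses again.
# Assumptions: GNU date (%N), `host` installed, and FAST_MS as the boundary
# between a cached reply (0.016s in the post) and a recursion (3.876s).
FAST_MS=100

# probe RESOLVER NAME TYPE DURATION_S
# One query per second; prints "<elapsed_s> <latency_ms> <status>" per query.
probe() {
    local resolver=$1 name=$2 type=$3 duration=$4 start now t0 t1 out status
    start=$(date +%s)
    while now=$(date +%s); [ $((now - start)) -le "$duration" ]; do
        t0=$(date +%s%N)
        out=$(host -t "$type" "$name" "$resolver" 2>&1)
        t1=$(date +%s%N)
        status=$(printf '%s\n' "$out" |
                 sed -n 's/.*not found: [0-9]*(\([A-Z]*\)).*/\1/p')
        echo "$((now - start)) $(( (t1 - t0) / 1000000 )) ${status:-NOERROR}"
        sleep 1
    done
}

# cache_windows: reads probe output on stdin. Every slow query is taken as a
# cache miss; prints "<miss_elapsed_s> <seconds_until_next_miss>" per miss.
# A trailing "+" marks a window still open when probing stopped.
cache_windows() {
    awk -v fast="$FAST_MS" '
        $2 >= fast { if (seen) print miss, $1 - miss; miss = $1; seen = 1 }
        { last = $1 }
        END { if (seen && last > miss) print miss, (last - miss) "+" }'
}

# expired_early TTL_S: reads cache_windows output; succeeds (exit 0) when a
# closed window is shorter than the TTL the resolver was configured with.
expired_early() {
    awk -v ttl="$1" '$2 !~ /\+$/ && $2 + 0 < ttl { early = 1 } END { exit !early }'
}

# Constructed sample shaped like the timings in the post (not a real capture).
sample_log() {
    printf '%s\n' '0 3876 SERVFAIL' '4 16 SERVFAIL' '6 15 SERVFAIL' \
                  '8 14 SERVFAIL' '9 3650 SERVFAIL' '13 16 SERVFAIL'
}

# Live use: probe 192.168.136.181 jhmnet.net CAA 30 | cache_windows
```

<p style="margin:0;" dir="ltr">Piping the result into <span style="font-family:monospace">expired_early 120</span> flags any refetch that happened before the 120-second limit set with unbound-control.</p>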
</div></body>